Re: challenge!!! extraction of XML response values

yamini_37 · ‎05-12-2020

Hi All,

Please help me in extracting the response values of the below XML snapshot.

Finally , I want to display a table like below.

After mapping all these values perfectly, I would like to display a line graph based on measobjldn.
For example, my problem statement is to display the cpu_avg values of 4 different components(management 1, management 2, management 3, management 4) separately., where measinfoid= statistics.

I used the below query but it is a hard coded query. How can i map all the values perfectly without hard-coding the values.

index=AAA sourcetype=AAAB host=xxx | spath
| rename measInfo.measType as Request_type, measInfo.measValue.r as P_value, measInfo.measValue.r{@p} as P_type, measInfo.measValue{@measObjLdn} as MeasobjLdn, measInfo{@measInfoId} as Measinfo_id
| table time,host, Measinfo_id ,P_type,P_value
| eval temp2=mvzip(P_type,P_value,=)
| mvexpand temp2
| rex field=temp2 (?.+)=(?.+) |table _time host Measinfo_id P_type P_value |search Measinfo_id=statistics AND P_type=2 |streamstats count as sno by _time |eval ObjLdn=case(sno==1,"management 1",sno==2,"management 1",sno==3,"management 1",sno==4,"management 1") |table _time host InfoId P_type P_value sno Measobjldn |stats values(P_value) as P_Value by time,host,Measobjldn |xyseries _time Measobjldn P_value

Please correct this query and help me

to4kawa · ‎05-13-2020

| makeresults
| eval _raw="<?xml version=XXX>
<measCollecFile XXX>
<fileHeader XXX>
<measCollec XXX/>
</fileHeader>
<measData>
<measInfo measInfoId=\"statsitics\">
<job jobId=\"AAA\"/>
<measType p=\"1\">cpu</measType>
<measType p=\"2\">cpu_avg</measType>
<measType p=\"3\">cpu_peak</measType>
<measType p=\"4\">cpu_min</measType>
<measValue measObjLdn=\"Management 1\">
<r p=\"1\">5</r>
<r p=\"2\">5</r>
<r p=\"3\">6</r>
<r p=\"4\">2</r>
</measValue>
<measValue measObjLdn=\"Management 2\">
<r p=\"1\">6</r>
<r p=\"2\">6</r>
<r p=\"3\">6</r>
<r p=\"4\">2</r>
</measValue>
<measValue measObjLdn=\"Management 3\">
<r p=\"1\">4</r>
<r p=\"2\">4</r>
<r p=\"3\">6</r>
<r p=\"4\">2</r>
</measValue>
<measValue measObjLdn=\"Management 4\">
<r p=\"1\">3</r>
<r p=\"2\">3</r>
<r p=\"3\">6</r>
<r p=\"4\">2</r>
</measValue>
</measInfo>
</measData>
<fileFooter>
<measCollec XXX/>
</fileFooter>
</measCollecFile>"
| multikv noheader=t
| streamstats count(eval(match(_raw,"meas[IV]"))) as session
| stats list(_raw) as _raw by session
| sort session
| where match(mvindex(_raw,0),"\<\w")
| rex  ">(?<values>.*)<"
| rex "\"(?<name>.*)\""
| eval name=mvindex(name,0)
| transpose header_field=name
| where column="values"
| eval _counter=mvrange(0,mvcount(statsitics))
| fields - column
| stats list(*) as * by _counter
| foreach * [ eval <<FIELD>> = mvindex('<<FIELD>>' , _counter) ]

I can't make vertical.

codebuilder · ‎05-13-2020

Set kvmode = xml in props.conf and cycle Splunk.

That will fix new incoming data.

For data that has already been ingested, append this to your search (after updating props and cycling):

| extract reload=T

----
An upvote would be appreciated and Accept Solution if it helps!

to4kawa · ‎05-13-2020

I see, I'll try.

to4kawa · ‎05-13-2020

sorry, I can't do it, because your sample is pics.

yamini_37 · ‎05-13-2020

No issues. Thanks for your time ☺

yamini_37 · ‎05-13-2020

@to4kawa Can you please help me

yamini_37 · ‎05-13-2020

@vnravikumar ... Can you please help me.

challenge!!! extraction of XML response values

simple XML

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation